Comments

: What's the best way to filter out the | (pipe) command from form inputs?
:
: Our site was hacked using 'script.cgi?page=index.html|cat%20telnet.pl|' and I need to find a way to stop that.
:
: Thanks,
: David

I just added a s/\|//g to the query string and that seems to do the trick.

: : What's the best way to filter out the | (pipe) command from form inputs?
: :
: : Our site was hacked using 'script.cgi?page=index.html|cat%20telnet.pl|' and I need to find a way to stop that.
: :
: : Thanks,
: : David
:
: I just added a s/\|//g to the query string and that seems to do the trick.

No, no. You validate your input data for what is ALLOWED, not try and hack out the disallowed stuff (most of the time, anyway). So check your input against a pattern like /^[\w.-]+$/. Otherwise I can just supply /etc/passwd as the file and off we go again.
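
The allowlist check from the last reply, written out as an added example (not code from any poster in this thread). It assumes the script passes the `page` parameter to `open`; the directory `/var/www/pages` and the function names are hypothetical, and the `\A`/`\z` anchors and the leading-dot rule are tightenings beyond the pattern quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical document directory; not taken from the thread.
my $DOC_ROOT = '/var/www/pages';

# Return the validated file name, or undef if the input is not allowed.
sub safe_page_name {
    my ($page) = @_;
    return undef unless defined $page;
    # Allowlist: ASCII word characters, dot and hyphen only. \A and \z anchor
    # the whole string ($ alone would also accept a trailing newline).
    return undef unless $page =~ /\A([\w.-]+)\z/a;
    my $name = $1;                      # the capture is untainted under -T
    return undef if $name =~ /\A\./;    # added rule: no dotfiles, no ".."
    return $name;
}

# Open the page read-only. The three-argument form of open treats the name
# as a plain path, so a leading or trailing "|" never starts a command.
sub open_page {
    my ($page) = @_;
    my $name = safe_page_name($page);
    return unless defined $name;
    my $path = File::Spec->catfile($DOC_ROOT, $name);
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample inputs, including the request quoted in the thread.
for my $input ('index.html', 'index.html|cat telnet.pl|', '/etc/passwd',
               '..', "index.html\n") {
    (my $shown = $input) =~ s/\n/\\n/g;
    my $verdict = defined(safe_page_name($input)) ? 'accepted' : 'rejected';
    printf "%-28s %s\n", $shown, $verdict;
}
```

Only `index.html` is accepted; the pipe request, the absolute path, `..` and the newline-terminated name are all rejected before any file is opened.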